Apple released a new version of iOS yesterday with a handful of new features, including collaborative playlists in Apple Music and a new Unity wallpaper for Black History Month. Another interesting new feature in iOS 17.3 is something called stolen device protection. It’s off by default, and I encourage iPhone users to turn it on when they’ve updated to iOS 17.3.
This feature is the result of research by Joanna Stern and Nicole Nguyen for the Wall Street Journal. They discovered that thieves were stealing money and accessing sensitive data that is supposed to be stored securely on an iPhone and the associated iCloud account.
The reason the passcode is such important information is that you can use it to unlock a phone and change certain settings. Even when Face ID (or Touch ID) is enabled, you can use the passcode as an alternative method to unlock a phone and change settings.
iPhone thieves take advantage of this by going to bars late at night and talking to strangers to get their passcodes from them.
For example, an iPhone thief told Joanna Stern that he would tell his victims that he wanted to add them on Snapchat. Since it’s often easier to enter your contact information directly into someone else’s phone than to say it out loud, the thief would say they can type in their username directly.
When the person handed over the phone, the thief would lock the phone and say the iPhone is locked. Then he would simply ask for the passcode and remember it for later.
After a phone is stolen, the passcode can be used to unlock the device and change the Apple ID password in the phone’s settings. This way, Find My iPhone can be disabled, which means the target can’t remotely wipe their device.
Many iPhone users also store passwords, such as banking app passwords, in their iCloud Keychain, as well as credit card information in their Safari AutoFill preferences. Thieves can also open encrypted notes in the Notes app to see if you’ve saved your social security numbers there.
They can also use Apple Pay directly. Once again, the passcode can be used if Face ID fails — thieves can also register their own face in Face ID if they have the device’s passcode.
Apple gives you an hour to wipe your device remotely
As a protection mechanism, Apple has introduced stolen device protection in iOS 17.3. When enabled, some actions will require Face ID or Touch ID biometric authentication, such as accessing saved passwords and credit cards.
In addition to requiring Face ID or Touch ID authentication, changing your Apple ID password, changing your passcode, and turning off stolen device protection also require a security delay. When you first try to perform one of these actions, the iPhone tells you that you need to wait at least an hour to make a critical change.
This way, if someone steals your device, you have the opportunity to wipe your iPhone remotely using another device to make sure your data remains safe. There is one exception though. If you’re in a familiar location like your home or work, you don’t have to wait an hour to make a critical change.
It’s not perfect, but Apple is trying to find the right balance between security and convenience. You can head to Settings > Face ID & Passcode > Stolen Device Protection to enable this new security feature.